Security

Checklist for team leaders

Establish policies and processes

  • Review telework agreements and policies to ensure they comply with your agency’s information security policies.
  • Create a clear, written data handling policy that accounts for the realities of working outside a physical office (e.g., working on a laptop in view of family members).
  • Enforce personal privacy requirements for records.
  • Keep all policies accessible in a place where everyone knows to look for them (like Confluence or another team collaboration tool).
  • Track removal and return of potentially sensitive materials, such as personnel records.

Enforce secure login practices

  • Choose a password manager and make sure teams adopt it for secure, unique passwords across all logins.
  • Enforce two-factor authentication across agency systems and employee logins.
  • Provide training on use of password management and two-factor authentication (this can be a simple half-day workshop to onboard everyone to the tools and practice using them).
  • Explicitly forbid the use of passwords written on sticky notes or browser auto-fill passwords for agency system logins.

Ensure secure systems access for teams

  • Set up a Virtual Private Network (VPN) for a secure internet connection, and confirm that your employees can access it from their homes.
  • Make sure the right employees can securely log in and access systems remotely (this can mean expanding access for some employees and limiting it for others).
  • Consider reimbursing employees if they need to use their mobile hotspot for remote systems access.

Provide security training

  • Information systems security training (can be provided by third-party vendor)
  • Workshops for setting up and using password manager and two-factor authentication
  • Training on recognizing and avoiding phishing attacks (here’s a simple quiz you can use to test employee awareness)

Checklist for teams

Beware of phishing / malware / hacking

  • Emails that ask you to confirm personal information
  • Email addresses or websites that don’t look genuine
  • High-intensity subject lines or messaging (e.g., “Urgent COVID Directive!”)
  • Don’t open attachments you don’t recognize

Use secure login practices

  • Onboard to the password manager tool your team is using
  • Set an example to others if your team isn’t collectively using a password manager (and perhaps offer to lead a one-hour workshop to help colleagues get set up)
  • Avoid browser password autofill or writing passwords on sticky notes

Protect your devices and hardware

  • Enable remote lockout and reset on your phone / laptop
  • Require password entry on power-up and login
  • Close laptop and remove CAC / PIV card when not in use
  • Encrypt hard disks (and wipe disks before giving away or discarding)
  • Never leave devices in the car or out of your sight
  • Lock your doors when you leave the house
  • Don’t use a thumb drive unless you know where it came from

Practice good security habits

  • Comply with organizational policies and with any additional requirements spelled out in your telework agreement.
  • Use only your agency services and tools for email, file sharing, and other work activities – not your personal accounts.
  • Avoid unsecured WiFi in public places when working on sensitive information (a mobile phone hotspot is also not entirely secure). Use the agency VPN for a secure connection.
  • Keep software and systems up to date so that you have the most recent security fixes. This includes:
    • Cell phone operating system
    • Web browser
    • Laptop / computer operating system
    • Web tools and apps (video conferencing, etc.)

Services

Training

Get customizable training for small or large groups at your agency on remote / telework best practices.

Coaching

Get personalized coaching and implementation help for building effective distributed government teams.

Consulting

Get one-on-one consulting for orientation on telework policies and best practices, along with recommendations for your agency.